Scaling intrusion-prevention systems for 10G, 40G and beyond

By Dan Joe Barry, vice president of marketing, Napatech, Network World |  Security, IPS

While many IT security professionals regard intrusion-prevention systems as a natural extension of intrusion-detection systems, an IPS is actually another type of access control mechanism, rather than simply a sister to IDS. In fact, it may surprise you to know that the term IPS is actually younger than IDS. It is a colloquial term first used by Andrew Plato, a technical consultant with a major IT security vendor that, way back in the late 1990s, developed the industry's first IDS platform.

In its purest form, an IPS makes a number of access control decisions based on the content of the application, rather than taking a traditional firewall approach of monitoring IP addresses, ports and other connective links.

Back in 1998 Plato opined that a good IPS should feature a sophisticated analytical engine, but one that generates as few false positives as possible.  Provided this is the case, he said at the time, then a good IPS has a number of advantages over IDS, since it can sit in line with an IP traffic flow and analyze the data stream in real time.

In addition, most modern IPS solutions also have the ability to analyze Layer 7 protocols such as FTP, HTTP and SMTP, and make decisions on whether to allow or quarantine the IP packets as required, even if the data is encrypted.

But are today's IPS platforms up to the task of scanning IP traffic at the high speeds needed in a modern IT environment?

The problem facing IT professionals is that, with the Internet growing at 40% to 60% a year (according to Atlas Internet Observatory), and against the backdrop of a mobile data explosion, it's important that IPS technology can keep up with this bandwidth growth and not become the bottleneck in the network.

It's also becoming clear that, on a typical network today, users are placing a very heavy load on each port of a multi-port 10G system and, while there are IPS products available that are capable of supporting a multiple 10Gbps port topology, providing continuous 10Gbps throughput on these ports is something of a challenge.

The most worrying part of this development is how IPS platforms can be scaled to meet the needs of 40G and 100G IPS technologies, which are set to be introduced to the IT/network mix in the next few years.

Until a few years ago, it could be argued that IPS platforms were up to the task, especially since most adopted a core five-stage real-time analysis process that steps through a number of stages as various IT threats are encountered when monitoring data streams that flow both in and out of the IT resource.

The first stage is to bandwidth throttle any suspicious IP traffic to give the security software a chance to analyze the data stream -- say, an e-mail message stream -- and deal with suspect messages and/or attachments in real time.


Originally published on Network World.